Sunday, July 29, 2007

You may have seen the story that came out a few days ago about how a man who stole the identity of Todd Davis, CEO of the LifeLock company and used the information to get a $500 loan.

The man, who has never been identified, had obtained Davis’ name and Social Security number . . . which is probably not surprising since Davis apparently posts his SSN on the LifeLock website. Davis seems to have hired a private investigator to track down the identity thief, which the investigator did. After keying in on a suspect, the investigator apparently told police who the suspect was and that he was in Forth Worth, Texas.

While the police were waiting for subpoenaed records from AT&T to confirm that the IP address used in the theft was linked to the person the private investigator had identified, the investigator went ahead and interrogated the suspect in Forth Worth. Indeed, the investigator not only interrogated the suspect and got him to confess to using Davis’ name and SSN to obtain the loan, he had a film crew tape the whole thing. . . even though police seem to have suggested this was not a good idea.

You probably think that ended the matter, because a videotaped confession is pretty devastating evidence in any case, even a $500 falsified loan case. Actually, it did not. The suspect was not, and will not be prosecuted for what he did because the police concluded he was coerced into confessing.

From the little information I can locate, it seems the man was mentally disabled. And according to a news story, a senior police officer who was involved in the case, Fort Worth Sergeant J.D. Moore, said the confession was coerced:

`They went to his house with a camera crew and they yelled at him and browbeat him into signing a confession that they had already typed out,’ Moore said.

The man told police he was informed that if he did not sign the confession and agree to do community service, police would be coming to arrest him.

`That makes them judge, jury and executioner,’ Moore said.

After discussing the confession with the Tarrant County prosecutor, police closed the case and have no plans to arrest or otherwise pursue the suspect. They do seem to have worked out a voluntary arrangement by which he will provide community service, which seems to have been the penalty he would have gotten had he been prosecuted and convicted.

Personally, I have no problems with how the Fort Worth police and prosecutor’s office handled the case. It seems a fair outcome, both in terms of saving everyone’s time (if the penalty wound up being the same) and in terms, perhaps, of factoring in the man’s mental disability.

What I don’t understand, though, is why they decided they couldn’t use the confession. And let me explain why, briefly.

There are two standards that govern the admissibility of a confession as a matter of constitutional law. We all know the first one – the Miranda rights. There’s no indication the private investigator gave the suspect Miranda rights, but he didn’t have to. Miranda rights only come into existence (or “vest” in a specific person) when someone is taken into custody (formal arrest or other kind of detention) by police. Miranda protects you from the police, not from your employer, not from private investigators, not from your neighbors, etc. The Supreme Court has on many occasions made it very clear that the Miranda rights are intended to address a very specific “evil:” custodial interrogation by police officers (and you must know they are police officers – doesn’t apply if you do not because, say, they are undercover).

So Miranda does not apply. But you usually don’t refer to a failure to give Miranda warnings when they’re required as resulting in a “coerced” confession. Instead, you say there was a “Miranda violation.” That leads me to believe the Fort Worth authorities had the other standard in mind.

Back in 1936, the Supreme Court decided a case called Brown v. Mississippi, in which several defendants challenged their conviction for murder. The conviction was based on their confessions. They confessed because they were whipped and told they would be whipped until they confessed to the murder. At trial, the officers who whipped the men admitted it, but the court let the confessions in and they were convicted.

The Supreme Court said, in essence, “you can’t do that because it is inconsistent with our constitutional principles of justice and fair play.” The umbrella term for those principles is due process – the government can prosecute and convict you, but to do so it has to follow certain procedures (certain “process”) that adequately guarantee your rights to a fair trial. So the Brown Court said any use of torture to extract a confession violated due process and the confession cannot be used in court.

Over the last roughly 70 years, courts have expended the Brown standard so that it now encompasses egregious psychological coercion as well as physical torture. Police can lie to suspects and trick them, but they cannot go too in doing either or in, essentially, browbeating a suspect. They can’t threaten a suspect with torture or with capital punishment only to get a confession, nor can they promise to let him go if he’ll just tell them what happened (having no intention of letting him go).

I’m assuming, then, that the confession in this case qualified as coerced because the private investigator engaged in what a court would find to be egregious psychological coercion. What I don’t understand is why it matters. In Colorado v. Connelly, 479 U.S. 157 (1986) the U.S. Supreme Court held that the due process standard only applies to police coercion. Specifically, the court said that “coercive police activity is a necessary predicate to finding that a confession is not voluntary within the meaning of the due process clause, and even the most outrageous behavior by a private party seeking to secure evidence against a defendant does not make that evidence inadmissible.”

So I don’t see why the private investigator’s coercing the suspect would make the confession inadmissible. The Connelly Court said that when a private party gets a confession, it can be admitted at court but the defendant can challenge it as not having been voluntarily given and not being reliable (because it was coerced).

The other thing that often happens when a private party gets a confession but there’s a Miranda problem (the rights weren’t given and the court decides the private party was acting as an agent of the police, so they should have been) or a due process problem is that police re-interrogate the suspect . . . giving Miranda rights at the beginning and not engaging in egregious coercion. Courts consistently hold that a subsequent confession can be admissible if the police conduct in effect “cures” the prior problem (assuming there was one, which I’m not sure there was in this case.)

This may not seem like a cybercrime issue, but I think it is. One thing we’re seeing with cybercrime is the increased involvement of private citizens in the investigative process (think “To Catch a Predator”). This also comes up when a business has been the victim of a cybercrime they think has been committed by an insider and they launch their own investigation . . . complete with interrogating employees.

I’ve wondered for some time if we need, perhaps, to re-think certain of the limitations the Supreme Court has put on the interrogation standards so that it would be difficult for, say, a private employer to coerce a confession from an employee, give the confession to the police and let them take it from there. As I said, in that instance the employee’s only option might be to argue, at trial, that the confession was unreliable. And maybe that’s okay . . . ?

Monday, July 23, 2007

I got a really good question not too long ago (it’s taken me too long to respond, I’m afraid): How long can the government keep the computers it seizes in a criminal investigation?

It’s a very good question because, as I thought about it and did a little research, the answer seems to be a variation of “it depends” and “beats me.” There are some state statutes, which I’ll talk about in a minute, that deal with the retention of seized evidence in general, but it seems the practice in this area varies . . . from state to state, maybe even from courthouse to courthouse. So I can’t promise you any definitive answers here (though I’d love to hear one if you have it?). All I’m going to do is to talk about the issue, the law I found, and the policy questions.

Let’s start with a few basic principles. First, I’m going to assume we’re dealing only with evidence (property, tangible or intangible) that was lawfully seized in the execution of a search warrant. I’m also going to assume, as I explain below, that the evidence seized was used against you in a criminal proceeding; that is, I’m assuming you were charged with a crime and that your seized property was used against you at your trial on those charges. Evidence can also be lawfully seized if the owner consents to the seizure, but since the person who gives consent can withdraw it at essentially any time. I’m not sure consent seizures are at issue here.

The other basic principle is the default procedure the law establishes for getting back property that has been lawfully seized with a search warrant. I’m sure we’re all familiar with the process of moving to suppress evidence; that tends to be the scenario in most reported cases, because the stakes are a lot higher if and when you’re charged with a crime and they want to use your property against you. Here, the person filing the motion is not seeking the return of the seized property (though that could follow if the motion to suppress is granted); they’re trying to block its being used against them in a criminal case.

We’re not concerned with motions to suppress here; our concern is with whether the government can keep the evidence (property) they seized from you and then used against you. (I suppose we’re also concerned with the situation in which they use a search warrant to seize your property, charge you with crimes as to which that property constitutes evidence, and then you somehow get the charges dismissed, which ends the case.)

As I explained in an earlier post (“Seeking the return of seized computers”), the way you go about trying to get your seized property back if (i) you have not and clearly are not going to be charged with a crime or (ii) you have been charged with a crime, the evidence was used at trial, and you’ve been convicted, acquitted or got the charges dismissed somehow. The point is that we’re concerned only with (ii) because in (i) the government has absolutely no justification for hanging on to your property.

Basically, as I explained in that earlier post, you file what in the federal system is called a “Rule 41(g) motion,” because you file the motion under Rule 41(g) of the Federal Rules of Criminal Procedure. Rule 41(g) says that a “person aggrieved . . . by the deprivation of property [seized by the government] may move for the property’s return.” If the court grants the motion, it returns the property; if it does not grant the motion, you don’t get your property back.

Nothing in the law is simple, but basically the rule is that a court should not grant a Rule 41(g)-style motion for the return of seized property as long as there is a criminal case “pending” against the owner, a case with regard to which the property is relevant as evidence. “Pending” seems to be construed broadly.

In United States v. Marabini, 2006 WL 3921906 (U.S. District Court – Southern District of Florida), Marabini moved for the return of two computers that were apparently seized pursuant to a search warrant. He asked that these “personal assets” be returned and given to his fiancé, because he had already (i) pled guilty to all the charges against him, (ii) been sentenced and (iii) agreed to forfeit $150,000 to the U.S. (basically as a way to disgorge money he’d allegedly earned from the crimes with which he was charged, i.e., unlawfully dealing in steroids and human growth hormone).

The government opposed the motion “arguing, among other things, that the computers . . . were properly seized as `evidence of a crime’ and, therefore, should not be returned until it is no longer needed as evidence.” Marabini, supra. The government said the proceedings in the case had not ended because Marabini had not (i) appealed his conviction and/or (ii) filed a petition for habeas relief. Marabini, supra. (In an appeal, a defendant directly challenges what occurred below; in a habeas petition, the defendant raises what’s called a collateral attack, which differs procedurally, but both try to knock out the conviction).

So, you’re not likely to win on a motion for return of property if there is any prospect that something can still occur in, or in relation to, the criminal case as to which it constitutes evidence.

But I’m not sure that’s really the issue the person I mentioned earlier raised. I think the question there was, essentially, can they keep seized computers FOREVER? So now let me take a shot at that.

The length of time the government can kept property it’s seized as evidence doesn’t seem to have been much of a concern, until recently. The big issue in that area now concerns DNA evidence, and there are statutes and other efforts to ensure that courts retain biological samples collected as evidence in a criminal case . . . essentially forever because, as we have seen, they can result in the release of innocently-convicted people.

But computers are different. If the government takes a sample of your DNA, you don’t lose your DNA; you still have it, so there’s really not a good “property” kind of argument here. You could say the same thing about seized data, but that’s a different issue, as I’ll note at the end of this post.

Leaving aside DNA-specific statutes, some states (not all by any means, it seems) have statutes that set a time period (e.g., 1 year after conviction, 3 years after conviction) for the retention of evidence used at trial. A few allow the owner to claim the property at the end of that period, unless it’s contraband (drugs) or firearms or a few other problematic things. If the owner is allowed to and doesn’t claim his property (and, maybe, even if that isn’t an option, hard to tell in some cases), then some statutes allow the court to order that it be destroyed or sold, with the proceeds going, usually, to the court. Other states have statutes that allow the prosecutor (or some other official) to file a motion seeking the disposal, sale or destruction of evidence used in a criminal case after the case is no longer “pending.”

I’ve also read that in some states it’s pretty much up the court clerk’s office. I get the sense that in those states they hang onto things and then, when they run out of space, they get rid of some of them.

As you can maybe see from this very brief outline of state law in this area, no one seems to have given much thought to the retention of evidence, historically. It seems to have treated pretty pragmatically: someone asks for it back, maybe we’ll return it, maybe not; we’ll keep it till we don’t have space, then get rid of it. I can’t seem to find any federal statutes on point, so I’m assuming federal courts handle this via local rules and practices.

I suspect, then, that in state and federal cases computers and computer data would be treated pretty much the same way. That is, I assume the government hangs onto the computers and data until it is really, really sure the case is no longer “pending.”

There’s a related, slightly different issue that comes up with the seizure (copying) of computer data, but this is already a long post, so I’ll address that issue next time.

Following up on a my relatively-recent post about grand jury subpoenas for computer hardware and data, I want to talk a bit about a different kind of grand jury subpoena: a forthwith subpoena.

A forthwith grand jury subpoena looks pretty much like any grand jury subpoena and, like the “regular” grand jury subpoenas I discussed last time, is issued by a grand jury to obtain evidence the grand jury believes will be relevant to its investigation of federal criminal activity. A forthwith subpoena is a subpoena duces tecum, that is, it orders the recipient to produce physical evidence (files, guns, computer equipment, data, etc.) to the grand jury.

What is different about a forthwith subpoena lies not in the way it is issued or in what it commands the subpoena recipient to do. What is different is the time frame the recipient is given in which to comply with the subpoena’s demands. As its name suggests, a forthwith subpoena orders the recipient to product the evidence described in the subpoena “forthwith,” or immediately.

What does that mean in practice? Well, to understand what it means and why this is significant, let’s talk about what a normal, non-forthwith grand jury subpoena duces tecum requires of the recipient. A regular grand jury subpoena duces tecum will order the recipient to produce evidence to the grand jury on or before a specified date; it will give the subpoena recipient some time, which can vary between, say, one week to several weeks to comply with the subpoena’s demands. There are at least two reasons for giving the recipient a substantial amount of time to comply.

One is purely practical; if, say, a grand jury issues a subpoena to a company that orders it to produce its business records for the last two years, the company will need time to comply with the request. If the records, or some of them, are only available in hard copy, the company will need to copy those records and find out from the prosecutor if the grand jury will accept the copies or wants the originals. Either way, the company won’t want to give away its only copies of the records. It will do something similar for its electronic records, being sure to provide, and retain, a copy of them.

Another reason why recipients are given time to comply is that the subpoena may ask for records concerning particular events or transactions, often over a large time frame, and it will take some time for the business to identity the records that are, and are not, responsive to the subpoena. An attorney advising a company dealing with a subpoena like this will tell the company to be sure to provide every record that is responsive to the subpoena’s demands, but not to provide information that has not been asked for. The attorney will also tell the business to be sure to keep careful, precise track of what was, and was not, provided.

The other reason why subpoena duces tecum recipients are given time in which to comply with the subpoena is that they can, as I noted in my last post, challenge the subpoena by filing a motion to quash it. The motion to quash asks the court to void the subpoena for legal reasons, such as that producing what it asks for would violate the recipient’s Fifth Amendment rights or violate a valid privilege, like attorney-client or doctor-patient privilege. The subpoena recipient’s ability to challenge the validity of the subpoena before complying with it is an essential aspect of the due process of law; it ensures that people can have illegal or overbroad subpoenas quashed and, in so doing, protects our privacy and other civil rights.

Forthwith subpoenas eliminate this window of time to comply with the subpoena. As I noted above, a forthwith subpoena tells the person to comply “forthwith,” or immediately. Sometimes, that means the person must produce the evidence the day the subpoena is served or the day after it is served. Sometimes it means what it says. A few years ago, FBI agents served a forthwith subpoena on a law office in Detroit that ordered the lawyer to whom it was directed to “`forthwith, provide all requested items immediately to . . . the grand jury” by handing them over to the FBI agents.

A forthwith subpoena was used several years ago to obtain a laptop, in what I think is a cautionary tale on how one should deal with these subpoenas.

A federal grand jury in Connecticut was investigating possible racketeering and other criminal activity carried out by Triumph Capital Group, Inc., an investment firm with its principal place of business in Boston, certain of its officers and agents and certain state officers and employees. U.S. v. Triumph Capital Group, Inc., 211 F.R.D. 31 (D. Conn. 2002). According to the opinion, after the grand jury had subpoenaed records from the company, an informant told the FBI agent working with the grand jury, Charles Urso, that Triumph had not produced records that were relevant to the subpoena; according to the informant, Charles Spadoni, Triumph’s Vice President and General Counsel, said the records which had not bee produced needed to be “purged” and that he had bought a shredder program to purge or “blow out” data on a computer. U.S. v. Triumph Capital Group, Inc.,supra.

The informant didn’t know what computer or records, if any, Spadoni was talking about, so Urso did some checking. With the assistance of agents who were specially trained in computer forensics, Urso discovered that records which seemed responsive to the grand jury’s subpoena had not been produced; instead, they had been downloaded from the company’s computers into a laptop. All the FBI agents knew about this laptop was that it had existed and had been used primarily by Spadoni. U.S. v. Triumph Capital Group, Inc., supra. They were very concerned that Spadoni might have the laptop and might be intending to use the shredder program the informant mentioned to delete all the data it contained, which could obstruct the investigation.

So, they needed to get the laptop as soon as possible. The obvious thing would have been to get a search warrant for the laptop, because they clearly had probable cause to believe there was evidence of a crime on its hard drive. The problem lay in another aspect of the Fourth Amendment: It requires that any search warrant particularly describe the place to be searched and the thing(s) to be seized. They could describe the laptop itself with a fair degree of particularity, but they had no idea where it was. As far as they knew, if it still existed “it could be in Triumph's Boston office, its Hartford office, Spadoni's home, Spadoni's car, or the place where Spadoni stayed when he worked at Triumph's Boston office” or somewhere else. U.S. v. Triumph Capital Group, Inc., supra.

They could have had the grand jury issue a regular subpoena duces tecum for the laptop, but they were afraid that would give Spadoni (or whomever) time to destroy its contents. So, instead, on

April 11, 2000, [Agent] Urso appeared before the grand jury and requested a forthwith subpoena directing Triumph to produce the laptop computer by 4:30 p.m. that day. In support of his request, S.A. Urso told the grand jury that a forthwith subpoena was necessary because a real danger existed that more evidence, or even the laptop computer itself could be destroyed if Triumph had advance notice that the government wanted to search it.

U.S. v. Triumph Capital Group, Inc., supra.

The grand jury issued the forthwith subpoena and Nora Dannehy, an Assistant U.S. Attorney working with the grand jury served it on Triumph by handing it to Tracy Miner, a lawyer with the firm of Mintz, Levin and one of Triumph's attorneys. She was served while waiting outside the grand jury room with a Triumph employee who had been subpoenaed to testify that day. Ms. Miner was told Triumph should deliver the laptop “immediately.”

Ms. Miner . . . called Triumph's Hartford office and learned that neither Spadoni nor the laptop computer were there. She then called Spadoni's attorney and McCarthy and learned that the laptop computer was at Triumph's Boston office. She asked Triumph to deliver the laptop computer to Mintz Levin's Boston office.

Ms. Dannehy denied Ms. Miner's request for more time and instructed her to produce the laptop computer by 5:00 p.m. that day.

U.S. v. Triumph Capital Group, Inc., supra. After the laptop arrives at Mintz Levin’s office in Boston, it was given to a courier service to be delivered to the grand jury in Hartford. The courier service delivered it to agent Urso, in the federal courthouse, at approximately 4:45 p.m., fifteen minutes before the deadline. The FBI agents got a search warrant before they analyzed the contents of the laptop.

When the laptop was analyzed, federal agents found incriminating evidence they sought to use against Triumph Capital, Spadoni and a number of other people whom the grand jury had charged in a lengthy indictment. The defendants later moved to suppress the evidence found on the laptop arguing that (i) the use of the forthwith subpoena was improper and (ii) the procedure used to obtain custody of the laptop violated their Fourth and/or Fifth Amendment rights (for reasons I won’t go into).

Forthwith subpoenas are controversial because, as I noted above, they don’t conform to the usual reasonable-time-to-comply aspect of subpoenas duces tecum. As you saw at the beginning of this post, the U.S. Department of Justice recognizes that, and has adopted a policy that says they should be used “only when an immediate response is justified and then only with the prior approval of the United States Attorney.” U.S. Department of Justice, U.S. Attorney’s Manual section 9-11.140. The district court found that an immediate response was justified here, and the U.S. Attorney apparently approved the subpoena.

What about the constitutional claims? Well, the individual defendants might well have had viable claims under the Fourth and Fifth Amendments (corporations have no Fifth Amendment privilege against self-incrimination and a reduced level of protection under the Fourth Amendment) . . . but there was a problem. See, U.S. law says, with regard to constitutional protections, “use it or lose it.” In other words, raise your objection before you do anything – confess, hand over evidence in response to a subpoena – or you will be deemed to have waived your right to raise that constitutional objection.

And that is precisely what the district court held in this case. The court noted that Ms. Miner did not file a motion challenging the forthwith subpoena before complying, and that this was not due to any threats or coercion by the government. Instead, she and her client voluntarily complied with the subpoena. U.S. v. Triumph Capital Group, Inc., supra. At the suppression hearing, she said “she believed that it would be contemptuous to not comply with the subpoena and that she did not have sufficient time or opportunity to consult with her client or Spadoni's counsel to discuss what was on the laptop computer and prepare a motion before the 5:00 p.m. deadline.” U.S. v. Triumph Capital Group, Inc., supra. The district court pointed out that she was an “experienced” criminal defense attorney and, therefore, knew or should have known that by complying she waived her client’s right to raise certain objections.

The Sixth Circuit Court of Appeals reached the same result in that case I mentioned earlier, the one in which the forthwith subpoena was served on the lawyer at the law firm. He said pretty much what Ms. Miner said – that he didn’t know he could challenge the forthwith subpoena, since it required him to produce the evidence “immediately” to the FBI agents standing in the office.

That is why this is a cautionary tale: Should you ever receive a forthwith subpoena, for a computer or data or a television set or a gun or anything else, remember that if you comply instead of challenging the subpoena, you may well have given up the right ever to challenge the legality of that subpoena.

Whoever prepares a crime according to §202a or §202b and who creates, obtains or provides access to, sells, yields, distributes or otherwise allows access to

* passwords or other access codes, that allow access to data or * computer programs whose aim is to commit a crime

will be punished with up to one year jail or a fine.

I assume, though I have not seen this in the few stories I’ve seen about the new German law, that the German Parliament passed it as part of the country’s effort eventually to ratify the Council of Europe’s Convention on Cybercrime. Germany signed the treaty back in 2001, but like many countries that have signed it, they have not yet ratified the Convention.

The usual reason for the delay in ratifying is that a country needs to get its local law up to the standards required by the Convention, and Article 6 (“misuse of devices”) of the Convention requires that:

Each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally and without right:

a the production, sale, procurement for use, import, distribution or otherwise making available of:

i a device, including a computer program, designed or adapted primarily for the purpose of committing any of the offences established in accordance with Articles 2 through 5;

ii a computer password, access code, or similar data by which the whole or any part of a computer system is capable of being accessed,

with intent that it be used for the purpose of committing any of the offences established in Articles 2 through 5; and

b the possession of an item referred to in paragraphs a.i or ii above, with intent that it be used for the purpose of committing any of the offences established in Articles 2 through 5. A Party may require by law that a number of such items be possessed before criminal liability attaches.

Article 6(2) of the Convention notes, though, that the provisions set out above

Shall not be interpreted as imposing criminal liability where the production, sale, procurement for use, import, distribution or otherwise making available or possession referred to in paragraph 1 of this article is not for the purpose of committing an offence established in accordance with Articles 2 through 5 of this Convention, such as for the authorised testing or protection of a computer system.

Articles 2-5 of the Convention define unauthorized access to computer systems and related offenses. I don’t know if the new German law includes a provision that restates the exclusion given in Article 6(2) or not.

So what is the point of all this? As I think I’ve said before, laws like this are, as far as I can tell, analogues of laws many U.S. states have which make it illegal to possess what are called “burglar’s tools.” They’re all pretty much the same. Here is Colorado’s possession of burglar’s tools statute:

A person commits possession of burglary tools if he possesses any explosive, tool, instrument, or other article adapted, designed, or commonly used for committing or facilitating the commission of an offense involving forcible entry into premises or theft by a physical taking, and intends to use the thing possessed, or knows that some person intends to use the thing possessed, in the commission of such an offense.

Colorado Revised Statutes Annotated section 18-4-205(1). Possessing burglar’s tools is a Class 5 felony in Colorado, which is apparently punishable by imprisonment for 1-2 years followed by one year of parole. Colorado Revised Statutes Annotated section 18-1.3-401(1)(a). I suspect the sentence is pretty much the same in all the states that have this crime.

As I think I’ve mentioned before, the reason for having this crime is to let law enforcement officers step in and interrupt a crime before (presumably) it’s about to be committed. So if they stop someone in a car or someone sneaking down an alley and find they’re carrying burglar’s tools as defined above, the officer can arrest that person for possessing the burglar’s tools. This does two things: First, it means the officer doesn’t have to hang around and wait until the person actually breaks into a house or business in order to be able to make an arrest; law long ago decided that’s not a good way to go, since it radically increases the danger to those who may be inside the burgled building, as well as maybe the officer, too.

Now, even without a possession of burglar’s tools offense, an officer could arrest the person sneaking around with what are clearly tools intended to be used to burgle for the distinct crime of attempted burglary. Attempt crimes were invented, at least in the Anglo-American legal system, purely to let officers interrupt criminal activity before the criminal had gone all the way and was actually involved in the commission of what laws calls the substantive crime. Burglary (like murder, homicide, any crime with a completed “harm) is a substantive offense, while attempt is an incomplete, or inchoate crime.

So where does this leave us with the new German law? Well, I assume the immediate driver was the country’s desire to be able to ratify the Convention on Cybercrime. And I assume the reason for including this provision in the Convention was a version of the burglar’s tools rationale.

This provision establishes as a separate and independent criminal offence the intentional commission of specific illegal acts regarding certain devices or access data to be misused for the purpose of committing the above-described offences against the confidentiality, the integrity and availability of computer systems or data. As the commission of these offences often requires the possession of means of access ("hacker tools") or other tools, there is a strong incentive to acquire them for criminal purposes which may then lead to the creation of a kind of black market in their production and distribution. To combat such dangers more effectively, the criminal law should prohibit specific potentially dangerous acts at the source, preceding the commission of offences under Articles 2 – 5.

Explanatory Report, Convention on Cybercrime, paragraph 71.I find the uproar in Germany particularly interesting given that I’ve never noticed anything similar here . . . and we not only signed the Convention on Cybercrime in 2001, we ratified it last year. To ratify it, of course, we, too, have to have law implementing the provisions of Article 6(1). You can find those provisions in sections 1029 and 1030 of title 18 of the U.S. Code – the federal criminal code, in other words.

Wednesday, July 04, 2007

I’ve talked a lot about Fourth Amendment constraints on law enforcement officers’ ability to search for and seize computer equipment and data. That’s one of the two models of criminal investigation we have in the United States.

Today, I want to talk about the other model and how it operates with regard to the government’s obtaining computer equipment and data stored on that equipment.

The “other” model is the grand jury model. The United States is the only country that uses grand juries. The Fifth Amendment to the U.S. Constitution requires that charges for all serious crimes (felonies, essentially) be brought by indictment, and only a grand jury can bring an indictment.

An indictment is a set of charges “returned” by a grand jury. A grand jury is a group of people, who are summoned just like regular trial jurors and sit to determine not guilt or innocence of charges that have been brought, but to decide if there is probable cause to charge someone with a crime, a federal crime, so far. So, the federal system has to use grand juries to charge people; that’s one grand jury function. Part of deciding whether there is probable cause to charge someone with a crime is investigating the possibility that a crime occurred, and that brings me to the second grand jury function. Grand juries, especially at the federal level actively investigate crime by requiring witnesses to appear and testify, under oath (think Scooter Libby), and by requiring individuals and/or corporations to produce evidence, such as records, for the grand jurors to review.

The way a grand jury requires witnesses to show up and testify and individuals or corporations to produce evidence is by issuing a subpoena. Subpoenas (grand jury and otherwise) are of two basic types: A subpoena ad testificandum requires someone to show up and testify; in grand jury practice, it requires someone to appear before the grand jury issuing the subpoena and ask questions put to them by the prosecutor working with the grand jury and by the grand jurors, if they wish to ask the witness questions. A subpoena duces tecum is used to obtain evidence; it requires the person or entity to which it is issued to produce specified evidence to the grand jury on or before a certain date.

Failure to comply with either type of subpoena means that the person or entity that was subpoenaed will be held in contempt. For individuals, this means they will be locked up until they choose to comply. A few years ago, Susan McDougal served 18 months in jail for refusing to testify before the White Water grand jury, and I’m sure we all remember Judith Miller, who spent 85 days in jail before deciding to testify before the Plamegate grand jury. Since corporations and other artificial entities (partnerships) cannot be locked up, they will be required to pay heavy fines (thousands of dollars a day) for each day they refuse to comply with a grand jury subpoena.

Okay, just a little more background and I’ll get to grand jury subpoenas for computers.

If a subpoena recipient does not want to comply with a subpoena, the proper thing to do is to challenge it by filing a motion to quash (not squash, when I was in practice in Chicago I had a client who wanted me to “squash that grand jury subpoena”) with the court that supervises the grand jury. The motion to quash says, essentially, that the subpoena should not be enforced for particular reasons. An attorney might argue, say, that the subpoena would require her to violate attorney-client privilege by testifying or by producing records.

Another basis for challenging a subpoena that requires the production of evidence is to argue that it is overbroad, i.e., asks for too much . . and that brings us to computer subpoenas. Since the whole issue of subpoenas tends to be very complex, I’m going to focus on only one issue in this post, and try to use a couple of cases to illustrate how that issue comes up and why it can be important.

The first case is a state case. States use grand juries, too, in the same ways the federal system does. Most states have county grand juries to investigate and bring charges for local crimes; some states have also statewide grand juries, which investigate larger-scale criminal activity. The first case – In re Twenty-Fourth Statewide Investigating Grand Jury, 589 Pa. 89, 907 A.2d 505 (Pennsylvania Supreme Court 2006) – involves a newspaper’s challenge to a statewide grand jury subpoena.

Here are the essential facts in that case:

In February and July 2006, Lancaster Newspapers, Inc. was served with two subpoenas issued under the authority of the Twenty-Fourth Statewide Investigating Grand Jury, commanding it to produce four computer workstations (Subpoena 314) and two additional computer hard drives (Subpoena 686). . . .The newspaper maintains that . . . , it agreed to provide the Attorney General's office with all available documentation deriving from the hard drives related to the subject of the investigation and to make the computer hardware available for inspection at Lancaster Newspapers' office in the presence of newspaper personnel. Upon rejection of such conditions by the Office of Attorney General, the newspaper initiated proceedings before the judge supervising the grand jury proceedings, seeking to quash Subpoena 314. The newspaper contended, inter alia, that the subpoena was overbroad because it required production of information that was not relevant to the grand jury investigation. . . .

In re Twenty-Fourth Statewide Investigating Grand Jury, supra. The judge supervising the grand jury denied the motion to quash, and the newspaper appealed.

On appeal to the Pennsylvania Supreme Court, the newspaper argued that the subpoena in question was

overbroad, in that it obviously requires production and potential disclosure of information beyond that which is relevant to the grand jury inquiry. The newspaper discusses a “chilling effect” that the surrender of entire computer hard drives to the government by the media will have on its ability to utilize confidential sources and to gather news information. According to the newspaper, less intrusive means were available to be utilized by the government and/or grand jury to accomplish their investigative purposes.

In re Twenty-Fourth Statewide Investigating Grand Jury, supra. This is a good argument because the U.S. Supreme Court and state courts have read a “reasonableness” requirement into subpoenas requiring the production of evidence.

The reasonableness requirement means, for example, that the government can’t just issue a subpoena asking for “everything” a business has and expect to prevail, at least not unless it can show why it really, truly needs “everything” the business has. The reasonableness requirement is intended to protect subpoena recipients by ensuring that they do not have to expend impossible and/or unreasonably expensive efforts to comply with subpoenas. It tries to strike a balance between what the government really needs and what is fair to the person or entity that has to locate and produce all this evidence. It also, as you can see from the argument above, tries to ensure that subpoenas are no more intrusive than they have to be.

The novel issue that’s come up in the few reported computer subpoena cases is whether the government (i) can simply require a person or a business to produce their computer equipment (hard drives, computers, data storage devices) or (ii) must instead focus the subpoena’s demands on producing particular information that is relevant to the grand jury’s inquiry. In an early computer evidence case – In re Grand Jury Subpoena Duces Tecum, 846 F. Supp. 11 (Southern District of New York 1994) – a federal court bought the subpoena recipient’s argument that requiring someone to produce hard drives and other computer hardware, simply to give the government access to some of the data stored in those devices, was unreasonable because it was analogous to requiring a business to produce all its file cabinets, with all the documents contained in them, so the government could gain access to the subset of documents that were actually relevant to the grand jury’s investigation. The New York court granted the subpoena recipient’s motion to quash and told the grand jury to try again, this time with a subpoena that only required the production of information relevant to its investigation.

And that’s essentially what the Pennsylvania Supreme Court did. It found that the subpoena at issue in that case was in fact overbroad and vacated the lower court’s order enforcing it, without prejudice . . . which means the state Attorney General’s office could try again with another subpoena. The court noted that one way to resolve the problem would be for the lower court to appoint a neutral expert who would review the data on the hard drives and decide what should, and what should not, be produced to the Attorney General. It also noted there might be valid reasons why the Attorney General’s office would need the hard drives – one being to have them forensically examined.

The Pennsylvania court explained, however, that “any direct and compelled transfer to the executive branch of general-use media computer hardware should be pursuant to a due and proper warrant, issued upon probable cause.” In re Twenty-Fourth Statewide Investigating Grand Jury, supra. Requiring the government to obtain a search warrant further protects the subpoena recipient (the newspaper, here) because it means the government has to show specific reasons why it needs particular evidence being held by the subpoena recipient.

That raises the bar for the government and, in so doing, protects citizens, because subpoenas issue with no showing of probable cause or any other reason to believe relevant evidence will be produced. Earlier, I talked about the two U.S. models of criminal investigation; each has its own way of trying to protect individual rights of privacy and possession of property: The traditional law enforcement model does that by requiring police to obtain a search warrant based on probable cause or otherwise satisfy the requirements of the Fourth Amendment before they go out and get evidence. The grand jury model does that by allowing the recipient of a subpoena to go to court and move to quash the subpoena. Here, the Pennsylvania Supreme Court was playing Solomon, to some extent by holding that some evidence just may not be obtainable by grand jury subpoena; if and when that is the case, the Fourth Amendment gives the government another way to go about trying to obtain that evidence.

The bottom line here is that if you or anyone you know ever receives a grand jury subpoena requiring the production of hard drives and other computer hardware, it might be a good idea to consult a lawyer and see if the terms of the subpoena seem to be overbroad. That can be very important because once someone produces evidence to a grand jury, they waive their rights under the Fourth and Fifth Amendments to claim that the evidence was obtained illegally.

Sunday, July 01, 2007

Maybe you saw this? New Zealand banks have adopted a new Code of Practice which, among other things, makes customers using online banking responsible for losses that occur if they did not take appropriate precautions to secure the computer they used to do their banking.

The New Zealand Bankers’ Association’s Code of Banking Practice [“CBP”] (4th ed. 2007) begins by advising online banking customers that “[y]our computer . . . is not part of our system therefore we cannot control and are not responsible for, its security.” CBP page 33. It follows this disavowal of institutional responsibility with reassurances that “we will inform you . . . how best to safeguard your online information and the steps you should take to protect yourself and your own computer from fraud, scams or unauthorized banking transactions.” CBP page 33.

As to the latter, the CBP says the financial institution will have available online “information and advice” on the benefits of installing and maintaining protection, in respect of, for example” anti-virus software, firewalls, anti-spyware and operating system security updates. CBP page 33. It also says the financial institution will tell you where to find this information “[w]hen we first give you access to our Internet Banking services.” CBP page 33. And the CBP goes on in that vein for another page or two, mostly telling customers what it will and will not do (such as sending emails asking for personal or account data). CBP page 33-34.

The next page or so explains that customers will not be held liable for “Unauthorised Transactions” under various circumstances, such as that you promptly inform the bank that you password or other access information has been compromised. CBP page 36-37. Nothing unusual so far.

But then we get to the section entitled “Your Liability (Responsibility). CBP page 35. This section advises online bank customers that “[y]ou may be liable if an Unathorised Transaction occurs” under any of the following circumstances:

You have a PIN or a password “of a type you have been warned not to choose (this goes back to earlier advice about not using family names, birthdates, pet names, etc.).

You either voluntarily disclosed your PIN or password to someone else or you wrote it down or recorded it electronically.

You used computer equipment “that does not have appropriate protective software and operating system installed and up to date.”

CBP page 37. There are several other circumstances that trigger customer liability for an unauthorized transaction, including leaving “your computer unattended when logged on to the Internet Banking service”. CBP page 37. (I wonder how they can tell when that happened?)

If any of the circumstances listed in this section of the CBP existed when your account was compromised, then your “maximum liability will be the lesser of” (i) the actual loss at the time you notified the bank of the problem or (ii) the amount that would have been available from withdrawal from your account “between the time any unauthorised access was made and the time you notified” your bank. CBP page 37. If you used or allowed your account to be used to access fraudulent or unauthorized transactions, then you “may be liable for some or all of the loss suffered by the party who has been defrauded, regardless of the balance available in your account.” CBP page 37.

And, finally, we come to the section of the CBP that has been creating quite a lot of discussion:

We reserve the right to request access to your computer . . . in order to verify that you have taken all reasonable steps to protect your computer . . . and safeguard your secure information in accordance with this Code. If you refuse our request for access then we may refuse your claim.

CBP page 37.

I want to comment briefly on two aspects of the CBP.

The first is the idea of imposing some responsibility on civilians – regular people – to secure their computers and be cautious when online. I have written about why I think this is a good idea elsewhere, and so won’t belabor the point here.

In the articles I have written on this topic, I explain in detail that the traditional system of crime control – law enforcement’s reacting to completed crimes by apprehending the criminals, who are then convicted and punished – neither is nor will be an adequate strategy for keeping online crime under control. As I explain elsewhere, the traditional model, which works adequately for real-world crime, is based on the premise that if you find and conviction someone who committed a crime, you control the commission of future crimes by (i) taking that offender out of circulation for some period of time (or permanently, if the death penalty applies) and/or (ii) discouraging others from following her example, because they see that the costs of committing crimes outweighs the benefits.

Implicit in this strategy, however, are the premises that (i) you can find the perpetrators of enough crime to have the desired effect and (ii) having found them, you can get custody of them for prosecution, conviction and sentencing. As I demonstrate in detail elsewhere, criminals’ ability to use cyberspace frustrates law enforcement’s ability to apprehend cybercriminals because it becomes difficult, if not impossible, to identify them. And even if law enforcement can identify certain perpetrators, it may not be possible to extradite them for prosecution where the crimes (or some of them) were committed. These difficulties are further exacerbated by the tremendous resource costs entailed by online investigations, costs that must be added to the costs needed to pursue real-world criminals because, after all, people will continue to “harm” each other in various ways in the real, physical world.

Okay, so I think we – the “users” of cyberspace – need to learn that we must assume some level of responsibility for protecting ourselves while online. And elsewhere,I’ve outlined some ideas as to how we go about changing societal norms (which currently tend to assume that crime is the police’s problem and that they will always catch the criminals) to make this one of the endemic, implicit assumptions we all share. So I really don’t have any problem with that aspect of the CBP.

My problem lies with the other aspect of the CBP provisions on “user” responsibilities. The articles I’ve seen about the CBP all focus on what they see as an invasion of privacy that results from the bank’s reserving the right to check the security on your system, apparently after an unauthorized transaction has taken place and you are seeking reimbursement for the losses.

The invasion of privacy concern doesn’t bother me all that much. It seems to me to fall in what the law calls “assumption of risk.” I get what I contract for, in other words. We see this in air travel. I may find airport screening of me and my bags very intrusive, a real invasion of privacy, but the law’s response to is, simply, that I have a choice. I can submit to those procedures, I can travel by other means or I can choose not to travel.

I’m sure some will point out that if all banking institutions starting using codes of this type (as is apparently now true in New Zealand), I won’t have a choice. I wonder. I tend to suspect that a market would grow up for financial institutions that would give their customers alternatives, in the same way bank secrecy became a marketable item in Switzerland and, later, in other countries.

But I don’t want to talk about what doesn’t interest me that much about the CBP. What I find interesting, and flawed, about it is that they seem to be relying on bank inspection of people’s computers as the incentive for customers’ beefing up security on their computers. As I’ve written in elsewhere, I don’t think this kind of enforcement system is the way to go to achieve the result I noted above, i.e., to change our culture so that we all begin to assume a level of responsibility for protecting ourselves online.

I don’t think it’s the way to go for several reasons. One is that customers may conclude (as the authors of articles about the CBP already seem to have concluded) that the tactic is high-handed and overreaching. As we all know, when people (me, included) perceive they’re being treated like that, their response is either to abandon ship (head for another bank) or be passive-aggressive, comply at some minimal level and then argue about it if and when a problem occurs.

The other problem I have with this tactic is the one I’ve written about before in analyzing somewhat comparable schemes (online driver’s license, security checks generally) that would seek to achieve the same thing. Some have argued that we should approach online security the way U.S. states dealt with seatbelts: Seatbelts have apparently been available in cars since the 1960s, but no one really started to use them till roughly twenty years later, when states started adopting “click it or ticket” laws, i.e., laws that made it a very minor offense (like a speeding violation) not to wear a seatbelt. That approach worked for seatbelts, but I don’t think it could ever work for citizen computer security.

Seatbelt laws are easy to enforce because it’s easy for a police officer to tell if you’re wearing on. And seatbelts are easy to use; citizens don’t have to keep adding patches to their seatbelts or upgrade to better seatbelts or any of that.

Why is that important? It goes to the efficacy of enforcement. If people don’t understand WHY they’re supposed to do something, something that isn’t easy for most people today, then they’ll be resistant. Resistance requires pouring more resources into enforcement (think alcohol prohibition in the 1920s and the war on drugs more recently), which, in and of itself, is not ever likely to be effective in getting people to do that “something” you want them to do.

So, I applaud the New Zealand bankers for trying to do something to encourage people to secure their computers and themselves when online. I just don’t think they’ve chosen a very good approach to the task.